Back in June, a couple of hundred people packed into a conference hall at Infosecurity Europe 2016. The title of the session was ‘Securing the Connected Human’ and it was described in the show guide as being about security awareness training. Those who attended in the hope of getting some tips on how to do it, or some reassurance that what they’re currently doing is right, probably walked away mightily disappointed.
Those on the panel clearly know what they’re talking about: one was the awareness training program manager at Uber, another a leading academic in the field, and a third a well-known CISO. Yet the common message from the majority of the panel was that the current system is broken. So badly broken, in fact, that we need to stop doing any more security awareness training while we all go away and start again from scratch.
You could almost hear the audience gasp. It’s hard to say whether this was in surprise or grudging agreement.
The aim of the game is clear, though. “To date the security community has focused on using technology to secure technology, totally ignoring the human element”, says Lance Spitzner, director of the SANS Securing The Human program. “As a result”, he continues, “the human is the weakest link. Until we also start securing people, the bad guys will continue to win”.
The science (or is it an art?) of educating someone to take security seriously is not easy. The typical IT kit on a modern employee’s desk is massively overpowered and expecting them to protect it all from the bad guys is asking a lot. This is exacerbated by the fact that there is no single authoritative place they can go for help. Yes, there’s Action Fraud (or non-action Fraud, as a senior security person described it to me recently), and there’s Get Safe Online, and there’s also the dedicated cyber section on every one of the 40-odd UK police force websites. There’s every bank site too, and as one panelist said, “there’s a lot of conflicting advice. Even worse, a lot of it is rubbish.” I recently heard someone suggest that a password should be considered insecure if it results in more than three hits when you type it into Google!
If there’s a topic for which the moniker “death by PowerPoint” fits perfectly, security training must surely be it. We take people away from a task they’re perfectly happy doing, and which they’re keen to finish by the end of the day. We sit them in a room and bombard them with a list of 500 things not to do. Then we send them away and expect them to remember them all for the next six months. Not only do they not remember more than three of those 500 things, we as managers have no way to discover which three they do recall, or, more importantly, which 497 they forget.
There are alternatives to classroom-based learning with online courses offered by many companies. In corporate land they’re known as computer-based training (CBT). Educationalists are keen users of the Learning Management System (LMS) or Virtual Learning Environment (VLE). Think of them as an intranet that also hosts CBT courses. University students nowadays spend more time in their LMS or VLE than attending lectures, but while it’s easy to get students to log into a separate system to undertake learning, pulling employees away from the day job can be a distraction regardless of whether the destination is a website or the conference room.
So if the current training methods are broken, how can we mend them? One of the panelists was Professor Angela Sasse from the Institute in Science of Cyber Security at University College London. She says that the advice given must be actionable, i.e. that people can actually take it away and make use of it. Don’t use a training session as an excuse to read out your corporate IT security policy. Instead, tell them about a real risk, explain the consequences, and teach them how to mitigate it. If it turns out that staff aren’t following the advice you give them, find out why and adapt the training accordingly, and don’t expect the complete program cycle to take less than two years.
While Professor Sasse says that we need to work with those who don’t follow our advice, not everyone takes the same attitude. In March Sir Bernard Hogan-Howe, head of the Metropolitan Police, suggested that banks should stop compensating victims of online fraud because it merely rewards bad behavior. Support for the idea was, unsurprisingly, limited, but it did initiate a much-needed debate in the media about who is to blame when a company PC gets hit by ransomware or data theft.
Are we giving employees too much responsibility and too much access to data? Are we ignoring the Need to Know rule? “Too often we see businesses giving social media responsibility to the youngest member of the team, with no experience of marketing, based on the fact that they use social media in their personal life” says James Dempster, managing director of Brighton-based Cobb Digital.
We need to be careful not to throw the baby out with the bathwater. While there may be problems with the current methods of security awareness training, describing it as completely broken is unfair. It does work, but clearly we as an industry must do better: we need to be able to measure the success of whatever program we deploy, we need to train people more often than once or twice a year, and we need to understand what we mean by training.
“We are assuming that just because we train people, they will change behaviors”, says Kai Roer, founder and CEO of CLTRE. “What we need is not a new approach to training employees, what we need is a way to measure that change in behaviors.”
Start again from scratch? Not necessarily, but clearly a rethink of security awareness training is called for.